Skip to content

ci: pin third-party actions to commit SHAs and add least-privilege permissions#19

Merged
OgeonX-Ai merged 1 commit into
mainfrom
ci/sha-pin-and-least-privilege
Jul 8, 2026
Merged

ci: pin third-party actions to commit SHAs and add least-privilege permissions#19
OgeonX-Ai merged 1 commit into
mainfrom
ci/sha-pin-and-least-privilege

Conversation

@OgeonX-Ai

Copy link
Copy Markdown
Contributor

Summary

  • Pins every third-party GitHub Action uses: reference across all 6 workflow files (ci.yml, codeql.yml, compatibility.yml, pages.yml, pr-lint.yml, stale.yml) to an immutable 40-char commit SHA, with a trailing # vX.Y.Z comment for human readability.
  • SHAs re-resolved live via gh api repos/<owner>/<action>/commits/<tag> against the tags actually present in the files (they had already moved past the plan's 2026-07-06 audit table to newer major versions via dependabot), then cross-checked against cas-reference-product's already-pinned ci.yml for checkout@v7 and setup-python@v6 (byte-for-byte match).
  • codeql.yml, pr-lint.yml, and stale.yml already carry job-level least-privilege permissions: blocks matching exactly what REQ-1.4.10 calls for (added upstream since the plan's audit) — no permissions changes were needed, only SHA-pinning.

Scope note

This PR only touches .github/workflows/*.yml. It does not modify compatibility.yml or pages.yml beyond action pinning, and does not overlap with the file set changed by open PR #18 (fix/registry-resolvable-id), which touches schemas/docs/tests, not workflow files — no merge-order dependency between the two.

Verification

  • pwsh -File scripts/workflow-lint.ps1 -Path portfolio/cas-contracts -Jsonworkflow-lint: clean. (zero findings across unpinned-action / missing-permissions / missing-timeout checks)
  • No Azure deploy steps in any of the 6 workflows (Pages deploy only) — NO-AZURE operator lock does not apply.

Not merging — opened for review per REQ-1.4.10 supply-chain hardening (Phase 31).

🤖 Generated with Claude Code

…rmissions (REQ-1.4.10)

- Pin all uses: refs across ci.yml, codeql.yml, compatibility.yml, pages.yml,
  pr-lint.yml, stale.yml to immutable commit SHAs with trailing # vX.Y.Z comments
- codeql.yml, pr-lint.yml, and stale.yml already carried job-level
  least-privilege permissions blocks (added upstream since the plan's
  2026-07-06 audit); no permissions changes were needed
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@OgeonX-Ai OgeonX-Ai enabled auto-merge (squash) July 8, 2026 17:02
@OgeonX-Ai OgeonX-Ai merged commit b8ced07 into main Jul 8, 2026
6 checks passed
@OgeonX-Ai OgeonX-Ai deleted the ci/sha-pin-and-least-privilege branch July 8, 2026 17:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants